Default password pool so small scientists need just 24 seconds to guess them all.

If you use your iPhone's mobile hotspot feature on a current device, make sure you override the automatic password it offers to secure your connection, because a team of researchers can crack it in less than half a minute by exploiting recently discovered weaknesses.

It turns out Apple's iOS versions 6 and earlier pick from such a small pool of passwords by default that the researchers—who are from the computer science department of the Friedrich-Alexander University in Erlangen, Germany—need just 24 seconds to run through all the possible combinations. The time required assumes they're using four AMD Radeon HD 7970 graphics cards to cycle through an optimized list of possible password candidates. It also doesn't include the amount of time it takes to capture the four-way handshake that's negotiated each time a wireless enabled device successfully connects to a WPA2, or Wi-Fi Protected Access 2, device. More often than not, though, the capture can be completed in under a minute. With possession of the underlying hash, an attacker is then free to perform an unlimited number of "offline" password guesses until the right one is tried.

The research has important security implications for anyone who uses their iPhone's hotspot feature to share the device's mobile Internet connectivity with other Wi-Fi-enabled gadgets. Adversaries who are within range of the network can exploit the weakness to quickly determine the default pre-shared key that's supposed to prevent unauthorized people from joining. From there, attackers can leach off the connection, or worse, monitor or even spoof e-mail and other network data as it passes between connected devices and the iPhone acting as the access point.

"Taking our optimizations into consideration, we are now able to show that it is possible for an attacker to reveal a default password of an arbitrary iOS hotspot user within seconds," the scientists wrote in a recently published research paper. "For that to happen, an attacker only needs to capture a WPA2 authentication handshake and to crack the pre-shared key using our optimized dictionary."

By reverse engineering key parts of iOS, the researchers discovered that default hotspot passwords always contained a four- to six-letter word followed by a randomly generated four-digit number. All the words were contained in an open-source Scrabble word list available online. By using a single AMD Radeon HD 6990 GPU to append every possible four-digit number to each of the words, the researchers needed only 49 minutes to cycle through all possible combinations. Then they stumbled on a discovery that allowed them to drastically reduce the amount of time required.

The hotspot feature, they found, uses an observable series of programming calls to pick four- to six-letter words from an English-language dictionary included with iOS. By cataloging the default passwords issued after about 250,000 invocations, they determined that only 1,842 different words are selected. The discovery allowed them to drastically reduce the number of guesses needed to correctly find the correct password. As a result, the required search space—that is, the total number of password candidates needed to guess a default password—is a little less than 18.5 million.

They were able to further reduce the time required after noticing that certain words on the reduced list are much more likely than others to be chosen. For instance, "suave," "subbed," "headed," and seven other top-10 words were 10 times more likely to be selected as the base for a default password than others. The optimized list in the attack orders words by their relative frequency, so those most likely to be used are guessed first. Given a four-GPU system is able to generate about 390,000 guesses each second, it takes about 24 seconds to arrive at the correct guess.

Among the many security features included in the WPA standard is its use of the relatively slow PBKDF2 function to generate hashes. As a result, the number of guesses that the researchers' four-GPU system is capable of generating each second is measured in the hundreds of thousands, rather than in the millions or billions. The paper—titled "Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots"—demonstrates that slow hashing alone isn't enough to stave off effective password cracks.

Also crucial is a selection of passwords that will require attackers to devote large amounts of time or computing resources to exhaust the required search space. Had Apple engineers designed a system that picked long default passwords with upper- and lower-case letters, numbers, and special characters, it could take centuries for crackers to cycle through every possibility. Alas, passwords such as "3(M$j;]fL[ZU%<1T" aren't easy for most people to use in practical settings. Still, a Wi-Fi password that's randomly generated—say "MPuUjxRpz0" or even "arNEsISIon" will require considerably more time and resources to crack than the default passwords currently offered by iOS.

Readers who use their iPhone's hotspot feature should override the default password offering and replace it with something that's harder to guess. They should also take advantage of the hotspot feature's ability to monitor how many people are connected to the Wi-Fi network. Those who use hotspot features on other mobile platforms would also do well to carefully monitor the passwords protecting their connections. By default, passwords offered by Microsoft's Windows Phone 8 consist of only an eight-digit number, according to the researchers, and depending on the carrier, some Android handsets may also generate default passwords that are easy to crack.

Story updated to fix typo in first sentence, add details about affected iOS versions, and to add detail about "offline" crack in the second paragraph.

You also have only a limited number of fingerprints (10), and irises (2... I presume they're not identical). That means you'll end up reusing the 'credentials' in practice, regardless of how hard you try (unless you have less than 10 accounts... I doubt anyone does), which makes a leaked database all the worse. Especially since you can't change your fingerprints (nor iris). Oh, and don't forget how you're kind of showing them off everywhere you go (remember that you leave your fingerprint everywhere you go!).

Passwords are far, far, far, far better authentication mechanisms. Fingerprints/irises are decent extra factors, but they are by no means a replacement for passwords. Hell, they really aren't even better than smartcards or authenticator tokens/apps (those are much harder to duplicate, and don't require knives to steal!).

890 posts | registered Dec 6, 2009

Latest Ars Video >

First Look: Xbox Adaptive Controller

Ars Technica's Sam Machkovech visits Microsoft for a first-hand look at the company's new controller that focuses on accessibility.

First Look: Xbox Adaptive Controller

First Look: Xbox Adaptive Controller

Ars Technica's Sam Machkovech visits Microsoft for a first-hand look at the company's new controller that focuses on accessibility.

Anyone who cares about good security. Humans are bad at randomness, our minds are geared towards dealing with patterns (something that can be exploited for many illusions, psychological tricks and so forth). A good password generator is very important. Of course, the emphasis there is on good, a junk generator isn't of any more value then whatever someone would normally come up with. Actually kind of doubly odd to see Apple fumble the ball here so badly, the Keychain utility they've included in OS X forever does a decent job of generating passwords.

The time required assumes they're using four AMD Radeon HD 7970 graphics cards to cycle through an optimized list of possible password candidates. It also doesn't include the amount of time it takes to capture the four-way handshake that's negotiated each time a wireless enabled device successfully connects to a WPA2, or Wi-Fi Protected Access 2, device.

At least with a computer with four 7970s in there he won't be able to sneak up on you to steal your wifi password.

Why the HELL does not the authenticator software refuse connections from an address that is sending and failing multiple thousands of login attempts per second? Obviously a real person will not be re-trying anywhere even close to that often.

Why the HELL does not the authenticator software refuse connections from an address that is sending and failing multiple thousands of login attempts per second? Obviously a real person will not be re-trying anywhere even close to that often.

I just updated the story to make clear that once the four-way handshake is captured, attackers perform an "offline" crack attack that allows them to perform an unlimited number of guesses. In other words, the attacker is running guesses through the password hash stored on his own computer. Limiting the number of login attempts made to the hotspot authenticator will do nothing to prevent an offline attack.

So no one did a security related code review at Apple before shipping code that's specifically network authentication related? Or they did, and they just didn't think these passwords would be a problem. Not sure which is worse.

How portable is this attack? Would the iPhone have to be within wifi range of the towerzilla (with four 7970s in it, it'll be big) in order for it to be done, or could a sample of encrypted traffic be taken with another device (laptop, whatever) and then used to crack the password remotely for future use against the same iPhone?

For those curious, ios 7 auto generates a random 12 character alphanumeric string that doesn't use the dictionary. Looks like Apple already has this problem wrapped up.

Although, of course, it's always more secure to generate your own.

I'm not so sure that's true, most people tend to use things they can remember easily rather than something complicated. They did research in the UK where you can set your own PIN on bank cards and they found that a quarter punched in 1234 or something, 0000 was also very popular.

How portable is this attack? Would the iPhone have to be within wifi range of the towerzilla (with four 7970s in it, it'll be big) in order for it to be done, or could a sample of encrypted traffic be taken with another device (laptop, whatever) and then used to crack the password remotely for future use against the same iPhone?

Sounds like it's very portable. You could do the sniffing from a laptop or phone, then offload the heavy lifting to your beast of a system on a different continent.

How portable is this attack? Would the iPhone have to be within wifi range of the towerzilla (with four 7970s in it, it'll be big) in order for it to be done, or could a sample of encrypted traffic be taken with another device (laptop, whatever) and then used to crack the password remotely for future use against the same iPhone?

Sounds like it's very portable. You could do the sniffing from a laptop or phone, then offload the heavy lifting to your beast of a system on a different continent.

Yeah, the update was one of the 'new comments' that got posted while I was writing my own but which I couldn't see. I just had an image of a would-be iPhone hacker wheeling an enormous tower into Starbucks, something like this.

Edit: Linked rather than embedded because the bbCode for making the image smaller is disabled on here for some daft reason.

Why the HELL does not the authenticator software refuse connections from an address that is sending and failing multiple thousands of login attempts per second? Obviously a real person will not be re-trying anywhere even close to that often.

(It's an offline attack, as already explained, but let's ignore that for a second...)

If someone was trying to perform an online attack, and trying to authenticate repeatedly, they could simply change their MAC address between attempts. It's trivial for a machine to do... and it would make the device acting as the router think multiple thousands of unique visitors are trying to connect, as opposed to one person repeatedly. It's the same reason why MAC filtering isn't useful for anything beyond keeping honest people honest.

You also have only a limited number of fingerprints (10), and irises (2... I presume they're not identical). That means you'll end up reusing the 'credentials' in practice, regardless of how hard you try (unless you have less than 10 accounts... I doubt anyone does), which makes a leaked database all the worse. Especially since you can't change your fingerprints (nor iris). Oh, and don't forget how you're kind of showing them off everywhere you go (remember that you leave your fingerprint everywhere you go!).

Passwords are far, far, far, far better authentication mechanisms. Fingerprints/irises are decent extra factors, but they are by no means a replacement for passwords. Hell, they really aren't even better than smartcards or authenticator tokens/apps (those are much harder to duplicate, and don't require knives to steal!).

Automatically generated passwords simple enough to remember are bound to be insecure. Apple should have thrown in a few numbers or symbols to make this just a tiny bit harder.

Have you tried to input symbols on a phone? It sure is annoying. I'm sure Apple wouldn't want to annoy its clients, so they chose simple passwords.

Yes, my home router has a bunch of symbols and numbers in the password. It's a pain, but that's the thing about security - it's a sliding scale between convenience and security. Apple put the slider too close to convenience on this one.

I haven't seen any comments about the poor programming design that lead to this problem. Dictionary + 4 digits I can live with, for ease of use, but the non-random selection of words wasn't very "suave". I'd be curious to see the code that resulted in picking a single dictionary word 0.8% of the time.

I will be SO glad once we move beyond this password lunacy and on to something like iris scanning or fingerprints wiith smart phones.

What? That's incredibly insecure. What do you do when that's digitally compromised? Get new eyes? New fingerprints? Not to mention how trivial it is to artificially duplicate.

You been watching too many sci-fi movies.Iris scanning is incredibly secure. You expect people to be digging out your eyeball?

You were talking about the phone's camera to take the scan, that's not going to be incredibly secure.

Also, how would this situation impact security... you want to let a friend connect to your phone's wireless hotspot... how do you authenticate them? Do you scan their eye with your phone (now you can impersonate them anywhere!), or do they use their device to scan your eye (now they can impersonate you!). Whoops! That's the problem with depending entirely on biometrics. They're easy to duplicate, because they weren't designed to prevent that.

With a password, you can just tell them the current throw-away password and no one has to worry about anything.

Quote:

As for fingerprint scanning also; extremely reliable (unless you anticipate somebody cutting off your finger). BTW, that has happened. Once.

Because fingerprint locks aren't used very often. They can be rather easily stolen, since you leave them behind on most things you touch. And seeing as the device is in your control, you don't even need to defeat anything intended to ensure the "finger" is living, as the reader is under your control to begin with (you only need to digitize the stolen print).

Quote:

Passwords, nowadays are bordering on ridiculous from a security standpoint. And it's only going to get worse.

No they're not. The only problem with passwords are that they're named "passwords" and not "pass phrases", and that too many developers don't have the slightest clue how to store them, despite the massive number of resources telling them to use PBKDF2, bcrypt, or scrypt. A diceware-style pass phrase is absurdly easy to remember, while being virtually impossible to crack if the developer wasn't a "Dave" (and even if they used SHA/MD5, still quite hard to crack).

As for fingerprint scanning also; extremely reliable (unless you anticipate somebody cutting off your finger). BTW, that has happened. Once.

You leave your prints on everything you touch. This is the equivalent of writing your password on your monitor.

You need to think about this more critically. Anything you can record easily can be reproduced easily. Effectively biometrics are just passwords you can never change and which you leave information about everywhere. That makes them very, very weak.

They really only make sense when you can have a human technician sitting there to make sure the iris held up to the camera, the finger under the scanner, or whatever else really is what the machine thinks it is. Thats why they use them for things like passports (where an agent will verify it) or in some countries legal documents (since again, an agent will do the recording). But expecting a machine to figure it out is folly.

"The only problem with passwords are that they're named "passwords" and not "pass phrases", and that too many developers don't have the slightest clue how to store them, despite the massive number of resources telling them to use PBKDF2, bcrypt, or scrypt. A diceware-style pass phrase is absurdly easy to remember, while being virtually impossible to crack if the developer wasn't a "Dave" (and even if they used SHA/MD5, still quite hard to crack)."

I hear what you're saying, but I disagree. You're thinking the here and now. I'm looking up the street a few blocks.We are rapidly approaching a point where passwords (anything that's even remotely rememberable) are going to be obsolete.

Do you really expect people to cut-and-paste 128 character passwords off of the Internet? It ain't going to happen.

So changing your password would simply increase the time required for the hack to get the password?

It's a dictionary attack, so only if you use another dictionary word.

I see, but the articles says:

More often than not, though, the capture can be completed in under a minute. With possession of the underlying hash, an attacker is then free to perform an unlimited number of "offline" password guesses until the right one is tried.

Do I understand correctly that once they have the hash, the fact that the password was auto-generated in such way just shortens the time it takes for the attacker to find it? Isn't this the big problem,rather than the way the auto-password was generated? What's preventing the hacker to run through all possible combinations until the right one is found?

While Apple could improve their algorithm by increasing their dictionary, I'm fairly certain that customer satisfaction with this feature would fall sharply if they actually made their passwords cryptographically difficult. I constantly watch people try and fail to to enter complicated passwords, especially on phones and tablets.

I don't think Apple's reputation would actually improve among users if, in return for making their hotspots more secure, the reaction of most people to using an Apple instant hotspot became "Oh God, another impossible to dictate, impossible to remember, impossible to type Apple password".

I think they're mostly making the right trade-off (they might consider expanding the dictionary.)

I don't know about your iphone but mine needs to be on the settings "wireless hotspot" pane before it allows me to use the phone as a wifi router. The possibility of someone unknowingly using that feature seems low. Plus there is a loud color banner that mentions hotspot connection count on the phone header.